Analysis Overview
SHA256
e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511
Threat Level: Known bad
The file CFXBypass.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
Lumma family
Loads dropped DLL
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 15:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 15:03
Reported
2024-11-08 15:07
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe
"C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe"
Network
Files
memory/2148-0-0x0000000074C2E000-0x0000000074C2F000-memory.dmp
memory/2148-1-0x0000000000F60000-0x0000000000FF0000-memory.dmp
\Users\Admin\AppData\Roaming\msvcp110.dll
| Hash | Value |
| --- | --- |
| MD5 | 9bc424be13dca227268ab018dca9ef0c |
| SHA1 | f6f42e926f511d57ef298613634f3a186ec25ddc |
| SHA256 | 59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2 |
| SHA512 | 70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715 |
memory/2148-6-0x00000000759B0000-0x0000000075A71000-memory.dmp
memory/2148-7-0x0000000074C20000-0x000000007530E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 15:03
Reported
2024-11-08 15:06
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3576 set thread context of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe
"C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | roaddrermncomplai.shop | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | racedsuitreow.shop | udp |
| US | 8.8.8.8:53 | defenddsouneuw.shop | udp |
| US | 8.8.8.8:53 | deallyharvenw.shop | udp |
| US | 8.8.8.8:53 | priooozekw.shop | udp |
| US | 8.8.8.8:53 | pumpkinkwquo.shop | udp |
| US | 8.8.8.8:53 | abortinoiwiam.shop | udp |
| US | 8.8.8.8:53 | surroundeocw.shop | udp |
| US | 8.8.8.8:53 | covvercilverow.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | marshal-zhukov.com | udp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3576-0-0x000000007520E000-0x000000007520F000-memory.dmp
memory/3576-1-0x0000000000920000-0x00000000009B0000-memory.dmp
memory/3576-2-0x0000000075200000-0x00000000759B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\msvcp110.dll
| Hash | Value |
| --- | --- |
| MD5 | 9bc424be13dca227268ab018dca9ef0c |
| SHA1 | f6f42e926f511d57ef298613634f3a186ec25ddc |
| SHA256 | 59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2 |
| SHA512 | 70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715 |
memory/4376-12-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4376-9-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4376-14-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3576-15-0x0000000075200000-0x00000000759B0000-memory.dmp
memory/3576-13-0x0000000075200000-0x00000000759B0000-memory.dmp